Frameworks
6 min

ISO 27001:2022 Annex A — What Changed and How to Prepare

The 2022 revision restructured Annex A from 14 control categories to 4 themes with 93 controls. Here is what changed and how to transition.

Netallion Team·January 28, 2026

ISO 27001:2022 Annex A — What Changed and How to Prepare

The 2022 revision of ISO 27001 brought the most significant changes to Annex A since the standard's inception. If you are certified to the 2013 version, you must transition by 31 October 2025. If you are pursuing first-time certification, you should certify against 2022 directly.

What Changed

Structural Reorganisation

The old structure of 14 control categories with 114 controls has been replaced with 4 themes and 93 controls:

  • Organisational Controls (A.5) — 37 controls covering policies, roles, asset management, access control, and supplier relationships
  • People Controls (A.6) — 8 controls covering screening, employment, awareness, and disciplinary processes
  • Physical Controls (A.7) — 14 controls covering physical perimeters, equipment, utilities, and storage media
  • Technological Controls (A.8) — 34 controls covering endpoint security, access management, cryptography, development, and monitoring

New Controls

11 entirely new controls were added:

  1. A.5.7 — Threat intelligence
  2. A.5.23 — Information security for use of cloud services
  3. A.5.30 — ICT readiness for business continuity
  4. A.7.4 — Physical security monitoring
  5. A.8.9 — Configuration management
  6. A.8.10 — Information deletion
  7. A.8.11 — Data masking
  8. A.8.12 — Data leakage prevention
  9. A.8.16 — Monitoring activities
  10. A.8.23 — Web filtering
  11. A.8.28 — Secure coding

Control Attributes

Each control now carries five attributes for better categorisation:

  • Control type — Preventive, Detective, Corrective
  • Information security properties — Confidentiality, Integrity, Availability
  • Cybersecurity concepts — Identify, Protect, Detect, Respond, Recover
  • Operational capabilities — 15 categories from governance to physical security
  • Security domains — Governance, Protection, Defence, Resilience

How to Transition

Step 1: Gap Analysis

Compare your current 2013 controls against the 2022 structure. Netallion's ISO 27001 module maps all 93 controls with applicability tracking through the Statement of Applicability editor.

Step 2: Update Your SoA

The Statement of Applicability must be rewritten against the new control structure. For each of the 93 controls, document whether it is applicable, the justification, and the implementation status.

Step 3: Address New Controls

Focus on the 11 new controls. Most organisations already have some coverage through existing practices, but formal documentation is typically missing:

  • Threat intelligence — document your threat monitoring sources and processes
  • Cloud security — formalise your cloud governance approach
  • Secure coding — document your development security practices

Step 4: Update Documentation

Revise your risk treatment plan, internal audit procedures, and management review processes to reference the new control numbering.

How Netallion Helps

Netallion provides the complete 2022 Annex A control set with:

  • 40 key controls mapped across all 4 themes
  • SoA editor with DOCX export
  • Cross-framework mapping to NIST CSF and SOC 2
  • Starter kit with policy templates and register structures
Create your ISO 27001 assurance pack at grc.netallion.app.
ISO 27001
Annex A
ISMS
Certification

Ready to build your compliance evidence pack?

Start with a free starter kit or create your first assurance pack.